From d4ea56a77ef408347a9d73b36e8066334b8835ea Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 24 Sep 2013 05:20:29 -0700 Subject: reduce susceptibility to bleichenberger attack --- boot.php | 1 + include/text.php | 2 +- mod/post.php | 24 ++++++++++++++++++------ version.inc | 2 +- 4 files changed, 21 insertions(+), 8 deletions(-) diff --git a/boot.php b/boot.php index 346a0f926..ce7218013 100755 --- a/boot.php +++ b/boot.php @@ -1176,6 +1176,7 @@ function check_config(&$a) { // our URL changed. Do something. $oldurl = hex2bin($saved); + logger('Baseurl changed!'); $oldhost = substr($oldurl,strpos($oldurl,'//')+2); $host = substr(z_root(),strpos(z_root(),'//')+2); diff --git a/include/text.php b/include/text.php index 40df8bd89..be5e2338d 100755 --- a/include/text.php +++ b/include/text.php @@ -1312,7 +1312,7 @@ function get_plink($item) { $a = get_app(); if (x($item,'plink') && ($item['item_private'] != 1)) { return array( - 'href' => $item['plink'], + 'href' => zid($item['plink']), 'title' => t('link to source'), ); } diff --git a/mod/post.php b/mod/post.php index 378192cbf..0e1884d85 100644 --- a/mod/post.php +++ b/mod/post.php @@ -174,18 +174,30 @@ function post_post(&$a) { if(array_key_exists('iv',$data)) { $data = aes_unencapsulate($data,get_config('system','prvkey')); logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA); - if(! $data) { - $ret['message'] = 'Decryption failed.'; - json_return_and_die($ret); - } + +// susceptible to Bleichenberger attack +// if(! $data) { +// $ret['message'] = 'Decryption failed.'; +// json_return_and_die($ret); +// } $data = json_decode($data,true); } if(! $data) { - $ret['message'] = 'No data received.'; - json_return_and_die($ret); + + // possible Bleichenberger attack, just treat it as a + // message we have no handler for. It should fail a bit + // further along with "no hub". Our public key is public + // knowledge. There's no reason why anybody should get the + // encryption wrong unless they're fishing or hacking. If + // they're developing and made a goof, this can be discovered + // in the logs of the destination site. If they're fishing or + // hacking, the bottom line is we can't verify their hub. + // That's all we're going to tell them. + + $data = array('type' => 'bogus'); } logger('mod_zot: decoded data: ' . print_r($data,true), LOGGER_DATA); diff --git a/version.inc b/version.inc index 451a8e715..713343a75 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2013-09-23.445 +2013-09-24.446 -- cgit v1.2.3